California Attorney General Xavier Becerra lashed out at lawmakers for imposing “unworkable obligations and serious operational challenges” on his office by effectively making him the chief enforcer of the state's sweeping new data privacy law.

In an Aug. 22 letter to legislators who helped get the law passed in June, Becerra complained that his office is not equipped to handle all the related duties, including quickly drafting regulations and advising businesses about compliance with the California Consumer Privacy Act, or CCPA.

“Failure to cure these identified flaws will undermine California's authority to launch and sustain vigorous oversight and effective enforcement of the CCPA's critical privacy protections,” Becerra wrote in the letter, which was obtained by Eric Goldman, a Santa Clara University law school professor and critic of the new privacy rules.

Becerra also questioned the legality of the civil penalties included in the new law, which he said improperly modified the state's Unfair Competition Law, or UCL.

“The UCL's civil penalty laws were enacted by the voters through Proposition 64 in 2004 and cannot be amended through legislation,” Becerra wrote. The data-privacy law's “constitutional infirmity” can be cured “by simply replacing the CCPA's current penalty provision with a conventional stand-alone enforcement provision” that does not purport to change the Unfair Competition Law.

Becerra's press office declined to comment Wednesday on the letter.

Lawmakers tried to address some of the attorney general's concerns in clean-up legislation that was pending Wednesday in the Assembly. One bill, SB 1121, drops a requirement in the Consumer Privacy Act that consumers must first notify the attorney general's office before suing over a data breach. The pending legislation recasts the civil penalty provisions and delays enforcement of the new law until six months after the attorney general publishes new regulations or July 1, 2020—whichever is sooner.

A separately pending budget bill would also appropriate $700,000 to Becerra's office for help drafting and enforcing the new regulations.

The changes do not, however, include a broader private right of action—sought by the attorney general—that would shift the litigation burden to consumers. Such a provision would have attracted fierce opposition from business groups that oppose any expansion of plaintiffs' ability bring class actions and individual suits.

Becerra's beefs with the Consumer Privacy Act foreshadow the fights that are looming over the state's sweeping digital information law as interests, including those in government, push to alter its reach and enforcement before it goes into effect in 2020. The law was drafted in sometimes-frantic summer negotiations and enacted as an alternative to a broader privacy protection initiative that was ultimately pulled from the November ballot.

Privacy advocates have successfully staved off attempts by critics of the new law to make substantial changes before the legislative session ends Friday. But they know the battles that lie ahead.

“Certainly the privacy groups and assorted consumer groups, we know this is coming,” said Lee Tien, a senior staff attorney for the Electronic Frontier Foundation who worked on the original legislation. Tien said he expects advocates and opponents of the law to meet and negotiate even before the new legislative session starts in January.

The business lobby is already pushing to narrow what they have to disclose to consumers about information that is collected about them. Companies are also lobbying the federal government for industry friendly rules that would preempt California's new law.

“My experience is that stakeholders who have a lot of resources generally do everything at the same time,” Tien said. “They will talk to us in good faith. At the same time they'd be crazy not to be in D.C. seeing if they can get a better deal there. I'm not a Pollyanna.”

Becerra's letter is posted below:

|

Read more: